
The recent resurgence of the Hlux/Kelihos botnet, taken down last week by a team of security companies, demonstrates how hard it is to detect and permanently shut down the latest generation of botnets. And the arms race to counter botnets is only going to escalate further now that the sort of peer-to-peer technology used in Kelihos has become commoditized in Zeus, a botnet "platform" at the center of a thriving criminal software ecosystem.

Last week, Microsoft and its partners were able to take down a collection of Zeus botnets infecting more than 13 million PCs by seizing associated servers and domain names then disrupting their command and control (C&C) network. But those botnets were built using an older set of Zeus binaries. A newer version of the software incorporates peer-to-peer networking technology in a way that eliminates the need for a C&C server, rendering botnets immune to that sort of decapitating strike.

"The takedowns we saw (by Microsoft) will become less and less possible as people move their botnets from client-server architectures to peer-to-peer," said Wade Williamson, senior product manager at Palo Alto Networks.

Peer-to-peer networks don't necessarily make taking down botnets more difficult. "It's actually easier," Aviv Raff, CTO of security firm Seculert said. "As you can simply become part of the P2P botnet and the other member will then try to communicate with you."

Dave Marcus, director of advanced research and intelligence at McAfee, agrees. "It's not going to make takedowns more challenging in the long term," he told Ars. However, the way they conceal communications may cause "a bump in the road short term" in detecting them within networks.

P2P's main purpose in a botnet has less to do with resilience than with covering tracks. It hides the command and control operation that drives the bots, making it that much harder to track down the people operating them. And since command and control isn't centralized on a specific server, P2P also gives botnet operators a way to resist takedowns by security professionals and takeover attempts by other botnet wranglers.

Where we're going, we don't need servers

Peer-to-peer botnets are hardly new. The Alureon/TDL4 botnet, for example, can survive indefinitely if it loses contact with its C&C network. These networks are difficult to detect: they use network traffic that looks, at least on the surface, like SSL-based web requests, except that they use their own embedded encryption. The anonymity and stability of those networks make them very profitable for botnet operators. In some cases, they even sell access to their anonymizing network as one of their services, helping others conceal themselves in other criminal activities, like a malign version of the Tor Network.

What is new in the latest version of Zeus, says Williamson, is what he called the “peer-to-peer-to-peer” approach, which has shown up in Zeus in the last month or so as part of financial fraud attacks: botnets that have no conventional C&C at all.

In the realm of blackmarket "commercial" botnets, the developers of Zeus and SpyEye—once a competitor to Zeus in the botnet marketplace, but now believed to have been merged into the Zeus code tree—have focused on creating a communications infrastructure for bots rather than on specific behaviors. Those have generally been left to the thriving marketplace of exploit developers who build software modules for the Zeus/SpyEye bot builders. "The infrastructure is always more important than the action the botnet is taking," Williamson said. "They think of a botnet as a communications platform."

In an analysis of the new generation of C&C-less Zeus/SpyEye, Symantec noted last month that the botnets went beyond previous versions of Zeus. In those earlier versions there was some peer-to-peer communication, but primary control was still through a command and control server. “Previously, every compromised computer was a peer in the botnet and the configuration file (containing the URL of the C&C server) was distributed from one peer to another,” Symantec reported. “This way, even if the C&C server was taken down, the botnet was still able to contact other peers to receive configuration files with URLs of new C&C servers.”

But with the older peer-to-peer version of Zeus, it was still possible to observe communications with the C&C server and shut it down. In the current version, there is no obvious communication with a C&C server at all. On top of that, the bots exchange configuration information in UDP packets rather than over TCP, which makes the traffic harder to track because UDP has no handshake and carries no transactional state.

And each bot is a web server unto itself, allowing other bots to make encrypted HTTP requests over TCP for command and control information on a pseudorandom port set by the configuration. The result is that, unlike the Zeus botnets shut down by Microsoft, there's no way to decapitate ones built on the latest version. The compromised PCs are the servers themselves.
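The two traffic traits just described (peers swapping configuration over UDP with many other peers, and each bot accepting inbound TCP connections on a pseudorandom high port) are visible in flow summaries even when payloads are encrypted. The following is an added example, not code from the article or from any vendor named in it, showing how a defender might score hosts in flow records for that combination. It assumes a simplified flow-record shape, a monitored network under the 10.0.0.0/16 prefix, and the thresholds shown; the sample flows are constructed for illustration.

```python
"""Score internal hosts for a peer-to-peer bot traffic pattern.

Heuristic (assumption, derived from the architecture described above):
  * the host exchanges UDP with many distinct external peers on ports
    that are not well-known services, and
  * the host serves several distinct external clients on one high TCP port,
    i.e. it behaves like a web server that nobody provisioned.
Both traits must be present before a host is reported.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Flow:
    src: str      # source IP
    dst: str      # destination IP
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


INTERNAL_PREFIX = "10.0."   # assumption: the monitored network
# UDP services a normal workstation talks to; ignored by the heuristic
KNOWN_UDP_PORTS = {53, 67, 68, 123, 137, 138, 500, 1900, 4500, 5353}


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def score_hosts(flows: Iterable[Flow], min_udp_peers: int = 8,
                min_tcp_clients: int = 3) -> Dict[str, List[str]]:
    """Return {internal_host: [reason, ...]} for hosts showing both traits."""
    udp_peers = defaultdict(set)                         # host -> external UDP peers
    tcp_clients = defaultdict(lambda: defaultdict(set))  # host -> dport -> external clients

    for f in flows:
        if (f.proto == "udp" and f.dport not in KNOWN_UDP_PORTS
                and is_internal(f.src) and not is_internal(f.dst)):
            udp_peers[f.src].add(f.dst)
        elif (f.proto == "tcp" and f.dport >= 1024
                and is_internal(f.dst) and not is_internal(f.src)):
            tcp_clients[f.dst][f.dport].add(f.src)

    findings: Dict[str, List[str]] = {}
    for host in set(udp_peers) | set(tcp_clients):
        reasons = []
        if len(udp_peers[host]) >= min_udp_peers:
            reasons.append(f"udp exchange with {len(udp_peers[host])} distinct external peers")
        for port, clients in tcp_clients[host].items():
            if len(clients) >= min_tcp_clients:
                reasons.append(f"serving {len(clients)} external clients on tcp/{port}")
        if len(reasons) >= 2:   # require both traits to limit false positives
            findings[host] = reasons
    return findings


def sample_flows() -> List[Flow]:
    """Constructed sample flows (documentation ranges, not real traffic)."""
    flows = []
    # 10.0.0.7: UDP with 12 distinct peers on assorted high ports, plus
    # 5 external peers pulling from its pseudorandom server port 34522.
    for i in range(12):
        flows.append(Flow("10.0.0.7", f"198.51.100.{i + 1}", "udp", 20000 + 37 * i))
    for i in range(5):
        flows.append(Flow(f"203.0.113.{i + 1}", "10.0.0.7", "tcp", 34522))
    # 10.0.0.5: ordinary workstation, internal DNS and outbound HTTPS only.
    flows.append(Flow("10.0.0.5", "10.0.0.2", "udp", 53))
    for i in range(6):
        flows.append(Flow("10.0.0.5", f"192.0.2.{i + 1}", "tcp", 443))
    # 10.0.0.9: a legitimate web server on tcp/443 (a well-known port, not counted).
    for i in range(20):
        flows.append(Flow(f"203.0.113.{50 + i}", "10.0.0.9", "tcp", 443))
    return flows


if __name__ == "__main__":
    for host, reasons in score_hosts(sample_flows()).items():
        print(host)
        for r in reasons:
            print("  -", r)
```

Run as-is it reports only 10.0.0.7, with both reasons. The "port 1024 and above" rule is a crude stand-in for an inventory of sanctioned services; a legitimate internal service on a high port such as 8080 would need an allowlist, and the thresholds should be tuned against a baseline of the network's normal flows before the rule is used for alerting.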

Taken by themselves, these improvements don't pose a huge challenge to security professionals. Marcus contends that while the new Zeus bot's command and control approach is "clever," it won't help the bots evade good forensics.

But there's something else that sets the new Zeus apart from other peer-to-peer botnets—its brand-name appeal and ease of use. When purchased through underground software markets from its developers, Zeus comes with commercial support. With versions of Zeus floating around as “open source,” the developers of for-sale versions like the new P2P version of Zeus are “differentiating on quality of support now,” said Williamson. “This is going to be supported code, with all of the things you expect from a 'white-hat' software venture.”

Zeus has already gained a reputation both for being easy enough for almost any would-be criminal to use, and for being a hot market for add-on financial and other exploits. The new P2P version could give anyone with a few thousand dollars worth of Liberty Reserve funds everything they need to deploy a botnet that's harder to take down than Kelihos—especially if they're smart enough to monitor attempts by security professionals and other botnet operators to sinkhole their bots and counter them.


Sean Gallagher
Sean is Ars Technica's IT and National Security Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland. Email: sean.gallagher@arstechnica.com / Twitter: @thepacketrat